Patents by Inventor Rainer Falk

Rainer Falk has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20190028459
    Abstract: A method for setting up a communication channel for exchanging data between a server device and a client device is provided. The method includes: transmitting authentication information from an issuer device to the client device; transmitting the authentication information from the client device to the server device in a cryptographic security protocol, in particular in a TLS handshake protocol; authenticating the client device by means of the server device depending on the received authentication information; and setting up the communication channel between the server device and the authenticated client device by means of the cryptographic security protocol. The authentication of the client device can be carried out in the context of setting up the communication channel. In this case, the communication channel is established by means of the cryptographic security protocol.
    Type: Application
    Filed: July 18, 2018
    Publication date: January 24, 2019
    Inventors: Steffen Fries, Rainer Falk
  • Publication number: 20190007220
    Abstract: An apparatus, a security device, a security system comprising the security device and the apparatus, and a method for generating an apparatus-specific apparatus certificate for the apparatus includes coupling the security device to the apparatus, a one-time useable private signing key being stored in the security device, storing apparatus-specific identification information in the security device, accessing the private signing key in the security device, generating the apparatus-specific apparatus certificate depending on the stored identification information in the security device, the apparatus-specific apparatus certificate being signed using the private signing key, and preventing a further access to the private signing key such that it becomes possible to generate an apparatus-specific apparatus certificate for an apparatus with little complexity, in particular without using a public key infrastructure.
    Type: Application
    Filed: June 27, 2018
    Publication date: January 3, 2019
    Inventor: Rainer Falk
  • Patent number: 10166876
    Abstract: A vehicle accumulator connected to a charging device is charged by controlling a configurable charge program executed by a control unit of the charge device. The configurable charge program is obtained from a charge program memory, so that the vehicle accumulator can be charged in an optimal manner with an individual charging characteristic.
    Type: Grant
    Filed: December 15, 2011
    Date of Patent: January 1, 2019
    Assignee: SIEMENS AKTIENGESELLSCHAFT
    Inventors: Rainer Falk, Steffen Fries
  • Publication number: 20180375842
    Abstract: A modular security control apparatus for the protected transfer of network packets is provided. In particular, an exchange of network data (e.g. network packets) between a first internal source network and a second internal network (e.g. second destination network) via a non-trustworthy internal and/or external network (first destination network) is made possible.
    Type: Application
    Filed: June 25, 2018
    Publication date: December 27, 2018
    Inventors: HANS ASCHAUER, RAINER FALK, KAI FISCHER, STEFFEN FRIES, MARKUS HEINTEL, WOLFGANG KLASEN, AXEL PFAU
  • Publication number: 20180375876
    Abstract: Provided is a method for decoupled transmission of data between networks having different security requirements, in which, in a first network having high security requirements, first data from a first application are transmitted in a communication exclusively between components within the first network via multiple communication links, data being captured in the first network by at least one monitoring device per communication link in a decoupled manner and being transmitted to a second network having lower security requirements. A corresponding arrangement is also provided.
    Type: Application
    Filed: June 27, 2016
    Publication date: December 27, 2018
    Inventors: UWE BLÖCHER, RAINER FALK, JENS REINERT, MARTIN WIMMER
  • Publication number: 20180365411
    Abstract: A method for providing a security function, in particular a cryptographic function, for a device, wherein the following method steps are carried out: receiving a request to execute the security function; loading a security application for the security function via a control application, wherein the control application is stored on a first internal memory of a security module and the security application is transferred from a memory which is external to the security module; checking an integrity of the security application by means of security information; executing the security application and providing the security function, wherein the execution and provision steps are carried out after the successful integrity checking step.
    Type: Application
    Filed: November 28, 2016
    Publication date: December 20, 2018
    Applicant: Siemens Aktiengesellschaft
    Inventors: Rainer FALK, Steffen FRIES, Markus HEINTEL, Dominik MERLI, Stefan PYKA
  • Publication number: 20180341755
    Abstract: Provided is a method for the secure, computer-aided execution of program instructions of an application, including the following method steps. The method includes a step of switching on a learning mode of an execution environment. The method includes a further step of performing the application in the execution environment while the learning mode is switched on, wherein program instructions of the application are performed for a selected predetermined application scenario and the execution environment assigns a first application scenario-specific validity information to the performed program instructions. The method includes a step of switching on a working mode of the execution environment, wherein, in the working mode, the execution environment checks the first validity information of the program instructions, and wherein the execution environment executes the program instructions as a function of their validity information.
    Type: Application
    Filed: January 25, 2017
    Publication date: November 29, 2018
    Inventors: HANS ASCHAUER, RAINER FALK, KAI FISCHER, MARKUS HEINTEL, WOLFGANG KLASEN, DOMINIK MERLI, AXEL PFAU, STEFAN PYKA, DANIEL SCHNEIDER
  • Publication number: 20180330129
    Abstract: An apparatus for detecting a physical manipulation on a security module that stores security-relevant data includes a sensor device for generating sensor data that describe a physical influence on the security module, and a first and a second monitoring device, wherein the first monitoring device is set up to receive the sensor data from the sensor device and to take the sensor data as a basis for generating first monitoring data, and the second monitoring device is set up to receive the first monitoring data from the first monitoring device and to use the received first monitoring data to detect a manipulation of the security module. Two monitoring devices communicating with one another that in each case can discern a manipulation on the security module are used to ensure a high level of security for the security module.
    Type: Application
    Filed: April 3, 2018
    Publication date: November 15, 2018
    Inventor: Rainer Falk
  • Patent number: 10122754
    Abstract: A method and an apparatus for transmitting data from a transmitter in a first communication network (21) to a receiver in a second, safety-critical application network (22) comprises an input buffer unit (31), an output buffer unit (32), a waiting unit (33) and a testing unit (34). The input buffer unit (31) provides the data that are to be transmitted. The waiting unit (33) detects an input time for the data that are to be transmitted, ascertains a dwell time for the data and stores the data that are to be transmitted and/or a check value for the data that are to be transmitted. The testing unit (34) is designed to test the data that are to be transmitted, following expiry of the dwell time, using a test pattern (41) that is up-to-date following expiry of the dwell time. The output buffer unit (32) is designed to provide the data for the receiver if the data have been deemed uncritical during the check. The test pattern preferably relates to a virus pattern.
    Type: Grant
    Filed: October 2, 2014
    Date of Patent: November 6, 2018
    Assignee: Siemens Aktiengesellschaft
    Inventors: Rainer Falk, Steffen Fries
  • Patent number: 10104056
    Abstract: A heterogeneous home network (with possibly multiple hops between devices) uses a push button configuration mechanism that ensures only one single new network node device is registered for a single push button key press event and overlapping Push-Button Configuration sessions within the heterogeneous network are prevented by an enhanced mechanism for running Push Button Configuration sessions based on a Push-Button Configuration handshake procedure triggered and initiated by a virtual or physical Push-Button-Event on a new device, which wants to join the heterogeneous network for a user friendly security bootstrapping, in which multiple network node devices in the heterogeneous network belonging already to the heterogeneous network are involved in registering the new device. The Push-Button Configuration handshake procedure is initiated to get a permission information to join the network or to proceed with the Push-Button Configuration or to get a rejection information not to join the network.
    Type: Grant
    Filed: October 26, 2016
    Date of Patent: October 16, 2018
    Assignee: SIEMENS AKTIENGESELLSCHAFT
    Inventors: Michael Bahr, Rainer Falk, Parag Mogre
  • Publication number: 20180288053
    Abstract: To improve the access control in regard to safety and protection of network operation and network data when controlling accesses to networks based on IT systems including embedded systems or distributed systems, it is proposed that observation and evaluation (detection) of the communication in a network (performance of a network communication protocol collation of the observed protocol with a multiplicity of reference protocols, preferably stored in a list, that are usually used in operation- and/or safety-critical networks) be used to independently identify whether an uncritical or critical network is involved in the course of a network access, in particular the setup of a network connectivity, to at least one from at least one network that is uncritical in regard to operation and/or safety, in particular referred to as a standard network, and at least one network that is critical in regard to operation and/or safety.
    Type: Application
    Filed: March 23, 2018
    Publication date: October 4, 2018
    Inventor: RAINER FALK
  • Patent number: 10089206
    Abstract: A device for monitoring a component has at least one processor core and a further processor core. The device further includes a determining unit configured to determine a profile of the processor core, the profile being influenced by an input signal applied to the processor core, and to determine a further profile of the further processor core, the further profile being influenced by a further input signal applied to the further processor core. The device further includes a comparison unit configured to compare the profile and the further profile and to generate a fault signal, if a comparison result of a comparison carried out by the comparison unit indicates defective similarity of the profile to the further profile.
    Type: Grant
    Filed: June 18, 2014
    Date of Patent: October 2, 2018
    Assignee: Siemens Aktiengesellschaft
    Inventors: Uwe Blöcher, Jens-Uwe Bußer, Rainer Falk, Volker Fusenig
  • Publication number: 20180276095
    Abstract: A method as well as a crypto-arrangement and a computer program product for monitoring an integrity of a test dataset, wherein a random sample of a test dataset is checked for integrity is provided. The method for monitoring an integrity of a test dataset includes the following steps: random sample-type selection of the test dataset from a dataset to be transferred via a communications connection; cryptographically protected provision of the selected test dataset to a test unit, wherein a communication via the communications connection is carried out uninfluenced by the selection and preparation; testing of the cryptographically protected test dataset for integrity by the test unit, based on cryptographic calculations and plausibility information.
    Type: Application
    Filed: August 8, 2016
    Publication date: September 27, 2018
    Inventor: Rainer Falk
  • Patent number: 10084821
    Abstract: Adapting access rules for a data interchange between a first network and a second network by the second network is provided based on a service-specific integrity information item of the first network, wherein the first network processes data for carrying out a service and the service defines multiple components. A respective integrity status is transmitted for each of the components by each respective component via a communication link within the first network to a management unit of the first network. The service-specific integrity information item is computed based on each respective integrity status by the management unit. The service-specific integrity information item is transmitted by a network access point of the first network to a receiver in the second network for adapting the access rules. Access by the receiver to each respective integrity status is prevented.
    Type: Grant
    Filed: August 5, 2014
    Date of Patent: September 25, 2018
    Assignee: Siemens Aktiengesellschaft
    Inventors: Rainer Falk, Kai Fischer, Steffen Fries
  • Patent number: 10051465
    Abstract: In a method and system for securely transferring a message (N) from a transmitter unit (SE) to a receiver unit (EE), a message sent by a transmitter unit (SE) is thereby transmitted to a receiving antenna array (EAA) comprising a plurality of receiving nodes (EK). The receiving nodes (EK) of the receiving antenna array (EAA) each verify the received message as originating from an authorized transmitter unit (SE) before the verified message is forwarded by each receiving node (EK) to the receiving unit (EE). The method and system effectively protect the message transmission from the introduction of undesired data by an attacker, and from an attack wherein the lifespan or operating time of the partially battery-powered nodes is reduced by increased current consumption.
    Type: Grant
    Filed: December 15, 2009
    Date of Patent: August 14, 2018
    Assignee: SIEMENS AKTIENGESELLSCHAFT
    Inventors: Rainer Falk, Hans-Joachim Hof
  • Publication number: 20180167211
    Abstract: Provided is a method and a security module for determining or providing a device-specific private key for an asymmetrical cryptographic process. A device-specific private primary seed is reproducibly formed from a device-specific secret piece of data, and the device-specific private key is determined from the device-specific private primary seed.
    Type: Application
    Filed: May 20, 2016
    Publication date: June 14, 2018
    Inventors: RAINER FALK, STEFFEN FRIES
  • Publication number: 20180152447
    Abstract: A network device has two interfaces for connecting to an access-protected access point of a data network and to a network component which is to be allowed access to the data network via the access point. The network device is designed to be authenticated at the access point using authentication data when the access point is connected and the network component is connected and to allow the connected network component to access the data network via the access point in the event of a successful authentication at least for network components which satisfy one or more specified criteria.
    Type: Application
    Filed: May 31, 2016
    Publication date: May 31, 2018
    Inventors: Hendrik Brockhaus, Jens-Uwe Busser, Rainer Falk
  • Publication number: 20180145952
    Abstract: Provided is a network cabling apparatus and protective apparatus for the protected transmission of data, comprising two protective devices which are assigned to one another and can each be connected to one end of a data transmission device, each protective device having: a first interface for connection to the data transmission apparatus; a second interface for connection to a device; and a crypto unit which has a cryptographic function that can be configured in an equivalent manner on each of the assigned protective devices and which cryptographically protects the data to be transmitted.
    Type: Application
    Filed: November 9, 2017
    Publication date: May 24, 2018
    Inventors: RAINER FALK, STEFFEN FRIES, STEFAN SELTZSAM
  • Patent number: 9979695
    Abstract: The invention relates to a method for monitoring a security network interface unit (23), for example a firewall, which receives a stream of data packets via a first interface (21), checks said data stream with respect to filtering rules, and outputs said data stream to a second interface (22). The method has the steps of duplicating and outputting the data stream to the second interface (22), checking the output data stream for inadmissible data traffic, transmitting a warning message to the security network interface unit if inadmissible data traffic is detected in the data stream, and restricting the data stream by means of the security network interface unit if the warning message is received in the security network interface unit (23). The device or the system according to the invention comprises units which are designed to carry out the aforementioned method.
    Type: Grant
    Filed: July 22, 2014
    Date of Patent: May 22, 2018
    Assignee: Siemens Aktiengesellschaft
    Inventors: Uwe Blöcher, Rainer Falk, David von Oheimb
  • Publication number: 20180124121
    Abstract: A one-way coupling device for the feedback-free transmission of data from the first network with high security requirements into a second network with low security requirements, containing a request unit, an eavesdropping unit and a receiving unit, wherein the request unit is formed so as to provide a first communication link within the first network to at least one device and, moreover, to request first data from the at least one device and then to transmit the first data via a second communication link on a separate line loop of the request unit, and the eavesdropping unit, which is formed so as to eavesdrop on data on the separate line loop and to transmit data to a receiving unit which is arranged in the second network. A corresponding request unit, a corresponding method and a corresponding computer program product are also provided.
    Type: Application
    Filed: March 18, 2016
    Publication date: May 3, 2018
    Applicant: Siemens Aktiengesellschaft
    Inventors: Uwe Blöcher, Rainer Falk, Jens Reinert, Wen Tang, Martin Wimmer